CBOR Web Token (CWT) Claims

Created: 2018-03-22
Last Updated: 2025-05-09
Available Formats: XML
HTML
Plain text

Registries Included Below

CBOR Web Token (CWT) Claims
CWT Confirmation Methods

CBOR Web Token (CWT) Claims

Expert(s)

Mike Jones, Hannes Tschofenig, Ludwig Seitz

Reference

[RFC8392]

Note

Registration requests should be sent to the [mailing list] described in 
[RFC8392]. If approved, designated experts should notify IANA within 
three weeks. For assistance, please contact iana@iana.org. IANA does not 
monitor the list.

Available Formats

CSV

Range	Registration Procedures
Integer values from -256 to 255	Standards Action
Integer values from -65536 to -257	Specification Required
Integer values from 256 to 65535	Specification Required
Integer values greater than 65535	Expert Review
Strings of length 1	Standards Action
Strings of length 2	Specification Required
Strings of length greater than 2	Expert Review

Claim Name	Claim Description	JWT Claim Name	Claim Key	Claim Value Type	Change Controller	Reference
Reserved for Private Use			less than -65536			[RFC8392]
Unassigned			-65536 to -262
globalplatform_component	This claim holds an array of CBOR maps in which each array entry holds a map containing claims about a GlobalPlatform component that is within the boundary of the enclosing Entity Attestation Token.	N/A	-261	map	[GlobalPlatform_Inc.]	[GlobalPlatform Entity Attestation Protocol Specification, GPP_SPE_001, Section 6.5.]
hcert	Health Certificate	hcert	-260	map	[European_eHealth_Network]	[Electronic Health Certificate Specification]
EUPHNonce	Challenge Nonce	EUPHNonce	-259	bstr	[FIDO_Alliance]	[FIDO Device Onboard Specification]
EATMAROEPrefix	Signing prefix for multi-app restricted operating environments	EATMAROEPrefix	-258	bstr	[FIDO_Alliance]	[FIDO Device Onboard Specification]
EAT-FDO	EAT-FDO may contain related to FIDO Device Onboarding	EAT-FDO	-257	array	[FIDO_Alliance]	[FIDO Device Onboard Specification]
Unassigned			-256 to -1
Reserved	This registration reserves the key value 0		0		[IESG]	[RFC8392]
iss	Issuer	iss	1	text string	[IESG]	[RFC8392]
sub	Subject	sub	2	text string	[IESG]	[RFC8392]
aud	Audience	aud	3	text string	[IESG]	[RFC8392]
exp	Expiration Time	exp	4	integer or floating-point number	[IESG]	[RFC8392]
nbf	Not Before	nbf	5	integer or floating-point number	[IESG]	[RFC8392]
iat	Issued At	iat	6	integer or floating-point number	[IESG]	[RFC8392]
cti	CWT ID	jti	7	byte string	[IESG]	[RFC8392]
cnf	Confirmation	cnf	8	map	[IESG]	[RFC8747]
scope	The scope of an access token, as defined in [RFC6749].	scope	9	byte string or text string	[IESG]	[RFC8693, Section 4.2]
Nonce	Nonce	eat_nonce	10	bstr or array	[IETF]	[RFC9711]
Unassigned			11 to 37
ace_profile	The ACE profile a token is supposed to be used with.	ace_profile	38	integer	[IETF]	[RFC9200, Section 5.10]
cnonce	The client-nonce sent to the AS by the RS via the client.	cnonce	39	byte string	[IETF]	[RFC9200, Section 5.10]
exi	The expiration time of a token measured from when it was received at the RS in seconds.	exi	40	unsigned integer	[IETF]	[RFC9200, Section 5.10.3]
Unassigned			41 to 168
identity-data	Registering the claim for storing identity data of a person, which could be personally identifiable data (PII) mostly used in Foundational/National ID for cross-border interoperability.	identity-data	169	map	[MOSIP]	[CBOR Identity Data in QR Code, Section 3][CBOR Identity Data in QR Code, Section 4]
Unassigned			170 to 255
UEID	Universal Entity ID	ueid	256	bstr	[IETF]	[RFC9711]
SUEIDs	Semipermanent UEIDs	sueids	257	map	[IETF]	[RFC9711]
Hardware OEM ID	Hardware OEM ID	oemid	258	bstr or int	[IETF]	[RFC9711]
Hardware Model	Model identifier for hardware	hwmodel	259	bstr	[IETF]	[RFC9711]
Hardware Version	Hardware Version Identifier	hwversion	260	array	[IETF]	[RFC9711]
Uptime	Uptime	uptime	261	uint	[IETF]	[RFC9711]
OEM Authorized Boot	Indicates whether the software booted was OEM authorized	oemboot	262	bool	[IETF]	[RFC9711]
Debug Status	The status of debug facilities	dbgstat	263	uint	[IETF]	[RFC9711]
Location	The geographic location	location	264	map	[IETF]	[RFC9711]
EAT Profile	The EAT profile followed	eat_profile	265	uri or oid	[IETF]	[RFC9711]
Submodules Section	The section containing submodules	submods	266	map	[IETF]	[RFC9711]
Boot Count	The number of times the entity or submodule has been booted	bootcount	267	uint	[IETF]	[RFC9711]
Boot Seed	Identifies a boot cycle	bootseed	268	bstr	[IETF]	[RFC9711]
DLOAs	Certifications received as Digital Letters of Approval	dloas	269	array	[IETF]	[RFC9711]
Software Name	The name of the software running in the entity	swname	270	tstr	[IETF]	[RFC9711]
Software Version	The version of software running in the entity	swversion	271	array	[IETF]	[RFC9711]
Software Manifests	Manifests describing the software installed on the entity	manifests	272	array	[IETF]	[RFC9711]
Measurements	Measurements of the software, memory configuration, and such on the entity	measurements	273	array	[IETF]	[RFC9711]
Software Measurement Results	The results of comparing software measurements to reference values	measres	274	array	[IETF]	[RFC9711]
Intended Use	The intended use of the EAT	intuse	275	uint	[IETF]	[RFC9711]
Unassigned			276 to 281
geohash	Geohash String	geohash	282	text string or array	[CTA]	[Fast and Readable Geographical Hashing (CTA-5009)]
Unassigned			283 to 299
wmver	The version of the WM Token	wmver	300	unsigned integer	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
wmvnd	The WM technology vendor	wmvnd	301	unsigned integer	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
wmpatlen	The length in bits of the WM pattern	wmpatlen	302	unsigned integer	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
wmsegduration	The nominal duration of a segment	wmsegduration	303	map	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
wmpattern	The WM pattern	wmpattern	304	COSE_Encrypt0 or COSE_Encrypt or byte string	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
wmid	Used as input to derive the WM pattern for indirect mode	wmid	305	text string	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
wmopid	Used as additional input to derive the WM pattern for indirect mode	wmopid	306	unsigned integer	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
wmkeyver	The key to use for derivation of the WM pattern in indirect mode	wmkeyver	307	unsigned integer	[DASH-IF]	[ETSI TS 104 002 V1.1.1]
catreplay	Common Access Token Replay	N/A	308	unsigned integer	[CTA]	[CTA-5007]
catpor	Common Access Token Probability of Rejection	N/A	309	array	[CTA]	[CTA-5007]
catv	Common Access Token Version	N/A	310	unsigned integer	[CTA]	[CTA-5007]
catnip	Common Access Token Network IP	N/A	311	array	[CTA]	[CTA-5007]
catu	Common Access Token URI	N/A	312	map	[CTA]	[CTA-5007]
catm	Common Access Token Method	N/A	313	array	[CTA]	[CTA-5007]
catalpn	Common Access Token ALPN	N/A	314	array	[CTA]	[CTA-5007]
cath	Common Access Token Header	N/A	315	map	[CTA]	[CTA-5007]
catgeoiso3166	Common Access Token Geographic ISO3166	N/A	316	array	[CTA]	[CTA-5007]
catgeocoord	Common Access Token Geographic Coordinate	N/A	317	array	[CTA]	[CTA-5007]
catgeoalt	Common Access Token Geographic Altitude	N/A	318	array	[CTA]	[CTA-5007]
cattpk	Common Access Token TLS Public Key	N/A	319	byte string	[CTA]	[CTA-5007]
catifdata	Common Access Token If Data	N/A	320	string or array	[CTA]	[CTA-5007]
catdpop	Common Access Token DPoP Settings	N/A	321	map	[CTA]	[CTA-5007]
catif	Common Access Token If	N/A	322	map	[CTA]	[CTA-5007]
catr	Common Access Token Renewal	N/A	323	map	[CTA]	[CTA-5007]
Unassigned			324 to 2393
psa-client-id	PSA Client ID	N/A	2394	signed integer	[Hannes_Tschofenig]	[RFC-tschofenig-rats-psa-token-24, Section 4.1.2]
psa-security-lifecycle	PSA Security Lifecycle	N/A	2395	unsigned integer	[Hannes_Tschofenig]	[RFC-tschofenig-rats-psa-token-24, Section 4.3.1]
psa-implementation-id	PSA Implementation ID	N/A	2396	byte string	[Hannes_Tschofenig]	[RFC-tschofenig-rats-psa-token-24, Section 4.2.2]
Unassigned				2397
psa-certification-reference	PSA Certification Reference	N/A	2398	text string	[Hannes_Tschofenig]	[RFC-tschofenig-rats-psa-token-24, Section 4.2.3]
psa-software-components	PSA Software Components	N/A	2399	array	[Hannes_Tschofenig]	[RFC-tschofenig-rats-psa-token-24, Section 4.4.1]
psa-verification-service-indicator	PSA Verification Service Indicator	N/A	2400	text string	[Hannes_Tschofenig]	[RFC-tschofenig-rats-psa-token-24, Section 4.5.1]
Unassigned			2401 to 65535

CWT Confirmation Methods

Registration Procedure(s)

Specification Required

Expert(s)

Ludwig Seitz, Mike Jones

Reference

[RFC8747]

Note

Registration requests should be sent to the [mailing list] described in 
[RFC8747]. If approved, designated experts should notify IANA within 
three weeks. For assistance, please contact iana@iana.org. IANA does not 
monitor the list.

Available Formats

CSV

Confirmation Method Name	Confirmation Method Description	JWT Confirmation Method Name	Confirmation Key	Confirmation Value Type	Change Controller	Reference
COSE_Key	COSE_Key Representing Public Key	jwk	1	COSE_Key structure	[IESG]	[RFC8747, Section 3.2]
Encrypted_COSE_Key	Encrypted COSE_Key	jwe	2	COSE_Encrypt or COSE_Encrypt0 structure (with an optional corresponding COSE_Encrypt or COSE_Encrypt0 tag)	[IESG]	[RFC8747, Section 3.3]
kid	Key Identifier	kid	3	binary string	[IESG]	[RFC8747, Section 3.4]
osc	OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation	osc	4	map	[IETF]	[RFC9203, Section 3.2.1]
ckt	COSE Key SHA-256 Thumbprint	(none)	5	binary string	[IETF]	[RFC9679]
Unassigned			6-322
jkt	JWK SHA-256 Thumbprint	jkt	323	byte string	[CTA]	[CTA-5007]

Contact Information

ID	Name	Contact URI	Last Updated
[CTA]	Consumer Technology Association	mailto:standards&cta.tech	2024-02-21
[DASH-IF]	DASH Industry Forum	https://dashif.org	2023-03-01
[European_eHealth_Network]	European eHealth Network	mailto:jakob&kirei.se	2021-04-15
[FIDO_Alliance]	FIDO Alliance	mailto:iana-request&fidoalliance.org	2021-03-05
[GlobalPlatform_Inc.]	GlobalPlatform Inc.	mailto:secretariat&globalplatform.org	2024-08-14
[Hannes_Tschofenig]	Hannes Tschofenig	mailto:hannes.tschofenig&arm.com	2022-07-27
[IESG]	IESG	mailto:iesg&ietf.org
[IETF]	IETF	mailto:iesg&ietf.org
[MOSIP]	MOSIP	mailto:resham&mosip.io	2024-05-15